Help with setting up Duo Admin Panel and Shibboleth

IAM David Bantz dabantz at alaska.edu
Fri Jan 28 00:55:50 UTC 2022


 I don’t recall, so I cannot explain why, but in our config for the Duo Admin
panel we specify using ePPN for the nameID with a named format of
“unspecified”.

David Bantz

On 27Jan2022 at 15:24:19, Melvin Lasky via users <users at shibboleth.net>
wrote:

> LOL about the logic. I thought the same. Hahahaha.
>
> Ok, forgive my ignorance here as I usually don’t have many problems with
> this. What’s the best way to trace this? Web browser? SAMLTRACER extension?
> But don’t I need unencrypted assertions, otherwise it’s gonna be all
> gobbledygook, right? Also, my logs in shib look good to me for it. I see it
> sending my Mail attribute.
>
> shib-idp;idp-process.log;dev;nothing; - [149.61.2.59]2022-01-27 23:37:25,638 - INFO [Shibboleth-Audit.SSO:283] - 2022-01-27T23:37:25.638103Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|DUO_5865aaf2ccf211d1a6cb78fc09cd90d6d971d12eabf3ac46d51f7609a946bdf5|https://admin-ourduonumber.duosecurity.com/saml/OURDUOSTUFF/metadata|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://ourshibserver.manhattan.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_fa30dd18e43297d0a286d029346f62d4|melvin.lasky||mail|||
>
> So I’m not even sure what to check LOL. It’s gotta be something stupid I
> have wrong somewhere.
>
> Mel
>
>
> *Melvin Lasky*
> Associate Director of Enterprise Architecture
> Riverdale, NY 10471
> Phone: 718-862-7410
> melvin.lasky at manhattan.edu
> www.manhattan.edu
>
> On Jan 27, 2022, at 7:18 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>
> On 1/27/22, 7:14 PM, "Melvin Lasky" <melvin.lasky at manhattan.edu> wrote:
>
>   "I understand you're encountering the error outlined here, which is
> basically either the SAML assertion was encrypted when your IdP doesn't
> support encrypted assertions
>
>
> That's a fascinating bit of logic.
>
>   The Certificate for signing is in the Duo Metadata file. I double
> checked that looks right.
>
>
> Well, an IdP can simply skip encryption if there's no key to use. Make
> sure the metadata file has a key marked for more than just signing, but
> more to the point, just trace it, don't waste time guessing what it's doing.
>
> -- Scott
>
>
>
>
>
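Scott's point above, that an IdP simply skips encryption when the SP's metadata offers no key it may encrypt to, can be checked directly in the metadata, as can the NameID format David mentions. This is an added example, not code from the thread, from Shibboleth or from Duo; the metadata document, its entityID and its certificate are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_sp_metadata(metadata_xml: str) -> dict:
    """Summarise what an IdP can do with this SP's metadata.

    A KeyDescriptor with use="encryption", or with no use attribute at all,
    may be used to encrypt assertions to the SP; a key marked use="signing"
    only may not, so an IdP that finds no usable key sends them in the clear.
    """
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    keys = sp.findall("md:KeyDescriptor", NS)
    usable = [k for k in keys if k.get("use") in (None, "encryption")]
    return {
        "entity_id": root.get("entityID"),
        "key_uses": [k.get("use") or "unspecified" for k in keys],
        "can_encrypt": bool(usable),
        "nameid_formats": [n.text.strip()
                           for n in sp.findall("md:NameIDFormat", NS)],
    }

# Constructed sample metadata (placeholder entityID and certificate). The key
# is marked for signing only, which is the situation Scott describes.
SIGNING_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same SP, but the key carries no use attribute, so it serves both purposes.
BOTH_USES = SIGNING_ONLY.replace('<md:KeyDescriptor use="signing">',
                                 "<md:KeyDescriptor>")

if __name__ == "__main__":
    for label, doc in (("signing-only", SIGNING_ONLY), ("no use attr", BOTH_USES)):
        print(label, inspect_sp_metadata(doc))
```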